CN101645900A - Cross-domain rights management system and method - Google Patents

Info

Publication number: CN101645900A
Authority: CN (China)
Prior art keywords: user, application, authority, certificate, module
Legal status: Granted; now Expired - Fee Related
Application number: CN200910169756A
Other languages: Chinese (zh)
Other versions: CN101645900B (en)
Inventors: 吴亚非, 李新友, 任金强, 陈晨
Current assignee: STATE INFORMATION CENTER
Original assignee: STATE INFORMATION CENTER
Events: application filed by STATE INFORMATION CENTER; priority to CN2009101697568A; publication of CN101645900A; application granted; publication of CN101645900B

Landscapes

  • Storage Device Security (AREA)
Abstract

The invention discloses a cross-domain rights management system comprising a front-end proxy module, an identity authentication module, a rights confirmation module and a database. The front-end proxy module constructs data transmission channels between users and application systems, between application systems and the identity authentication module, and between application systems and the rights confirmation module. The identity authentication module supports identity certificates issued by multiple certification authorities and uses them to authenticate users accessing the application systems. The rights confirmation module is oriented to all application systems of the whole cross-domain rights management system; it confirms users' access rights to the application systems and transmits the confirmed access rights to the front-end proxy module. The database stores data related to the users, the multiple certification authorities and the multiple application systems. The invention also discloses a cross-domain rights management method. The system and method can realize rights management across trust domains and application domains, give the application systems within them sufficient adaptability and extensibility, and at the same time improve access efficiency for users.

Description

Cross-domain rights management system and method
Technical field
The present invention relates to information security technology, and in particular to a cross-domain user rights management system and a related method.
Background
With the rapid development of society and the economy, computer networks play an increasingly important role, and companies and government bodies of all kinds have gradually built up IT architectures for their applications and services. As a rule, the application and service systems in use today were built by different developers at different times using different technologies, for example mail systems, internal government office systems, official document management systems, call systems and general information systems. Because these application systems differ in their base framework, coding scheme and types of application resources, most of them adopt their own authentication, user management and authorization management systems. This limits information sharing and information exchange between the various application systems and creates information islands. In particular, with the rapid development of identity authentication technology, CAs in various places (Certificate Authority, certification authority, whose core function is to issue and manage users' digital certificates) can issue digital identity certificates, each recognized in its own scope, to the local application systems; but these digital certificates are not universal and cannot be mutually authenticated. The result is that, although the security of information resources can be guaranteed, the barrier between application systems is invisibly raised and each application system becomes more isolated.
As can be seen from the above, each CA is the authority on the legitimacy of user identities within the domain it administers and has no such authority or effect in another domain, so different domains have different CAs as the authority on user identity legitimacy. At present an application system trusts the certificates issued to end users by the CA in its own domain, so those end users can log in to the application system with the certificates that CA issued to them; this means that each application system trusts only certificates issued by the CA in its own domain. Yet in practice ordinary users need to access application systems in different domains at the same time.
Based on this, those skilled in the art have raised the problem of cross-domain rights management. Cross-domain rights management as currently used generally takes the following forms: one is to have each application system support the CAs of more other domains; the other is to use cross-certification to solve the problem of users' cross-domain access. In practice both approaches have the following shortcomings: they are difficult to implement and difficult to manage, and popular application containers do not provide support for them, which greatly increases the difficulty of developing the system.
A new problem is therefore put before those skilled in the art: how to build a rights management system that supports both multiple CA authentication mechanisms and multiple application systems.
Summary of the invention
To solve the above problems, the invention provides a cross-domain rights management system and a cross-domain rights management method that can realize rights management across trust domains and application domains, give the application systems within them sufficient adaptability and extensibility, and at the same time improve user access efficiency.
To this end, the invention provides a cross-domain rights management system comprising an identity authentication module, a rights confirmation module, a database, a plurality of application systems, and a front-end proxy module arranged at the front end of each application system. The front-end proxy module establishes data transmission channels between the user and the application system, between the application system and the identity authentication module, and between the application system and the rights confirmation module, for data interaction. The identity authentication module supports identity certificates issued by a plurality of certification authorities; it authenticates users who attempt to access the application system and transmits the user authentication result to the front-end proxy module. The rights confirmation module faces all application systems in the whole cross-domain rights management system; it confirms a user's access rights to an application system according to the user rights query request from the front-end proxy module and the related data stored in the database, and transmits the confirmed access rights to the front-end proxy module so that the front-end proxy module can determine whether the user may access the application system. The database stores data relating to the users, the plurality of certification authorities and the plurality of application systems.
The identity authentication module comprises an authentication service interface, a certificate verification unit and a certification authority management unit. The authentication service interface transmits user authentication requests and related information arriving from outside the identity authentication module to the certificate verification unit, and transmits the user authentication result from the certificate verification unit to the outside. The certificate verification unit sends a certification authority lookup request to the certification authority management unit according to the user authentication request from the authentication service interface; after the certification authority management unit confirms that the user identity certificate was issued by a certification authority supported by this module, the certificate verification unit verifies the certificate and transmits the result to the authentication service interface. The certification authority management unit determines, according to the lookup request and the related data stored in the database, whether the user identity certificate was issued by a certification authority supported by this module, and transmits the result to the certificate verification unit.
The certification authority management unit also performs the following operations: adding and/or deleting certification authorities, and deleting, adding and viewing certification authority information.
The certification authority management unit also performs the following settings: setting a root certificate for each certification authority, setting whether certificate status is checked, setting the certificate verification mode, and setting the CRL management and OCSP service information management functions.
The certification authority management unit identifies the certification authority that issued the user identity certificate according to the certification authority key identifier contained in the user identity certificate and/or the DN of the certification authority.
The certificate verification unit's verification of the user identity certificate specifically comprises: verifying the certificate's validity, verifying the certificate's legitimacy, and verifying the certificate's status.
The rights confirmation module comprises a query service interface, a rights identification unit and an application management unit. The query service interface establishes a data transmission channel between the front-end proxy module and the rights identification unit, transmitting the user rights query request and related information from the front-end proxy module to the rights identification unit and the user rights query result from the rights identification unit to the front-end proxy module. The rights identification unit sends an application information lookup request to the application management unit according to the user rights query request and target URL received from the query service interface, identifies the user's rights for the application according to the application information determined by the application management unit, and transmits the user rights information to the query service interface. The application management unit determines the information relating to the application according to the lookup request and the data stored in the database, and transmits that application information to the rights identification unit so that it can use it to identify the user's rights for the application.
In addition, the invention provides a cross-domain rights management method applicable to the cross-domain rights management system. The method comprises the steps of: 1) storing the information of the plurality of certification authorities supported by the cross-domain rights management system and the user identity certificates issued by those certification authorities; 2) setting and storing the information relating to the plurality of application systems and each user's access rights information for each application system; 3) authenticating a user accessing an application system according to the stored user identity certificates and certification authority information; 4) after determining that the user accessing the application system has a valid identity, determining the user's access rights for that application system according to the stored information relating to the application systems and the user's access rights for each application system; and 5) after determining that the user has access rights to the application system, allowing the user to access it.
Step 3) specifically comprises the steps of: 31) identifying the certification authority of the user identity certificate according to the certification authority key identifier contained in the certificate and/or the DN of the certification authority, and confirming whether the issuer of the user identity certificate is one of the issuers stored in step 1); if so, proceeding to step 32), and if not, indicating that authentication has failed; 32) confirming the validity, the legitimacy and the current status of the user identity certificate.
Step 4) specifically comprises the steps of: 41) looking up the corresponding application information according to the user rights query request and the target URL; 42) identifying the user's rights for the application system according to the application information found and the user information, so as to determine the user's access rights for that application system.
Compared with the prior art, the invention has the following beneficial effects:
Because the cross-domain rights management system provided by the invention has an identity authentication module that can support a plurality of certification authorities, and users attempting to access an application system are authenticated by it, then whether those users belong to the same certification authority or to different ones, as long as the certification authority to which a user belongs is any one of the plurality, the identity authentication module can authenticate that user; in this way the system achieves rights management across trust domains. At the same time, because the system has a rights confirmation module that faces all application systems in the whole cross-domain rights management system, and a front-end proxy module is arranged for each application system, then as long as the front-end proxy module transmits to the rights confirmation module the information about the user and the application system together with the corresponding access request, the rights confirmation module can confirm whether the user holds access rights to that application system regardless of whether the user belongs to it. That is, as long as a user belongs to the cross-domain rights management system and has been granted the corresponding authorization, the user can access any application system for which that authorization has been granted. Thereby the system also achieves rights management across application domains.
Likewise, the cross-domain rights management method provided by the invention can equally achieve rights management across trust domains and application domains.
In summary, the system and method provided by the invention, on the premise of guaranteeing information security, allow the application systems within them to have sufficient adaptability and extensibility to the greatest extent, markedly reduce the inconvenience users meet when accessing different trust domains and application domains, and at the same time improve users' access efficiency.
Brief description of the drawings
Fig. 1 is the overall structure diagram of the cross-domain rights management system provided by a specific embodiment of the invention;
Fig. 2 is the detailed structure diagram of the identity authentication module shown in Fig. 1;
Fig. 3 is a schematic flow chart of the identity authentication module shown in Fig. 2 performing identity authentication; and
Fig. 4 is a schematic flow chart of the cross-domain rights management method provided by a specific embodiment of the invention.
Detailed description of embodiments
To help those skilled in the art better understand the technical solution of the invention, the cross-domain rights management system and the cross-domain rights management method provided by the invention are described in detail below with reference to the drawings.
First, some terms involved in the invention are defined. In recent years, accompanying the rapid development of digital identity authentication technology and the spread of national information infrastructure, several notions of "domain" are frequently mentioned, for example security domain, trust domain, application domain and so on. To avoid confusion it is necessary to define the "domain" referred to in the invention: the "domain" of the invention comprises trust domains and application domains. A trust domain takes a CA as its dividing criterion; that is, the entities and individuals that are digitally authenticated by the same CA and use the digital certificates it issues are united into one trust domain. An application domain takes an application system as its dividing criterion; the scope related to one application system (the users, resources and so on it comprises) is united into one application domain. In practice a trust domain may contain several application domains, an application domain may contain several trust domains, and in certain special cases the scopes of a trust domain and an application domain may coincide completely.
Next, refer to Fig. 1 and Fig. 2, where Fig. 1 shows the cross-domain rights management system provided by a specific embodiment of the invention and Fig. 2 shows the detailed structure of the identity authentication module adopted in the invention.
As shown in the figures, the cross-domain rights management system provided by this embodiment comprises an identity authentication module, a rights confirmation module, a database, a plurality of application systems (application system 1, application system 2 through application system n, where n is an integer greater than 2), and a front-end proxy module arranged at the front end of each application system (front-end proxy module 1, front-end proxy module 2 through front-end proxy module n, where n is an integer greater than 2).
The front-end proxy module establishes data transmission channels between the user and the application system, between the application system and the identity authentication module, and between the application system and the rights confirmation module, for data interaction. In fact, part of the front-end proxy module's function is similar to the login module of an application system.
The identity authentication module supports identity certificates issued by a plurality of certification authorities, authenticates users who wish to access the application system according to the related data stored in the database, and transmits the user authentication result to the front-end proxy module.
The rights confirmation module faces all application systems in the whole cross-domain rights management system; it confirms a user's access rights to an application system according to the user rights query request from the front-end proxy module and the related data stored in the database, and transmits the confirmed access rights to the front-end proxy module so that the front-end proxy module can determine whether the user may access the application system.
It should be noted that the access rights confirmed here by the rights confirmation module are coarse-grained; that is, it confirms whether the user has the right to log in to the application system. The user's rights to specific data resources within the application system, and the administration of those rights, are similar to the corresponding rights management in the prior art and are not repeated here.
The database stores data relating to the users, the plurality of certification authorities and the plurality of application systems.
It will be understood that the cross-domain rights management system provided by the invention has an identity authentication module that can support a plurality of certification authorities (for example certification authority 1 through certification authority m, where m is an integer greater than 1), and users attempting to access an application system are authenticated by it; thus, whether those users belong to the same certification authority or to different ones, as long as the certification authority to which a user belongs is any one of the plurality, the identity authentication module can authenticate that user, and the system thereby achieves rights management across trust domains. At the same time, because the system has a rights confirmation module facing all application systems in the whole cross-domain rights management system (application system 1, application system 2 through application system n, where n is an integer greater than 2), and a front-end proxy module is arranged for each application system, then as long as the front-end proxy module transmits to the rights confirmation module the information about the user and the application system together with the corresponding access request, the rights confirmation module can confirm whether the user holds access rights to that application system regardless of whether the user belongs to it. That is, as long as a user belongs to the cross-domain rights management system and has been granted the corresponding authorization, the user can access any application system for which that authorization has been granted; for example, a user of application system 1 may also be allowed to access application system 2, provided the user holds the corresponding rights. In this way the cross-domain rights management system provided by the invention also achieves rights management across application domains.
The identity authentication module and the rights confirmation module are described in detail below.
The identity authentication module adopted in this embodiment supports multi-CA authentication, replacing the isolated authentication modules of the original systems with centralized, unified identity authentication. Specifically, the identity authentication module may comprise an authentication service interface, a certificate verification unit, a certification authority management unit and a database.
The authentication service interface transmits user authentication requests and related information from outside the identity authentication module (for example, from the user and/or the front-end proxy module) to the certificate verification unit, and transmits the user authentication result from the certificate verification unit to the outside of the module (for example, to the user and/or the front-end proxy module).
The certificate verification unit sends a certification authority lookup request to the certification authority management unit according to the user authentication request from the authentication service interface; after the certification authority management unit confirms that the user identity certificate was issued by a certification authority supported by this module, the certificate verification unit verifies the certificate and transmits the verification result to the authentication service interface.
Specifically, after the certification authority management unit confirms that the user identity certificate was issued by a certification authority supported by this module, the certificate verification unit performs the following checks on the certificate: validity verification, legitimacy verification and status verification.
The certification authority management unit determines, according to the lookup request from the certificate verification unit and the information stored in the database, whether the user certificate was issued by a certification authority supported by this module, and sends the result to the certificate verification unit. It identifies the certification authority that issued the user identity certificate according to the certification authority key identifier contained in the user identity certificate and/or the DN of the certification authority.
In practical application the certification authority management unit also performs the following operations: adding and/or deleting certification authorities, and deleting, adding and viewing certification authority information. It also performs the following settings: setting a root certificate for each certification authority, setting whether certificate status is checked, setting the certificate verification mode, and setting the management of CRLs (Certificate Revocation Lists, also called certificate blacklists) and the management of OCSP (Online Certificate Status Protocol) service information. By means of this certification authority management unit, the identity authentication module can manage the certification authorities it trusts, which lays the foundation for multi-CA support.
The authority that is adopted in the present embodiment confirms that module can comprise inquiry service interface, authority recognition unit and application management unit.
Wherein, described inquiry service interface is used for setting up data transmission channel between front-end proxy agent module and authority recognition unit, with will be, and will transfer to the front-end proxy agent module from the user right Query Result of authority recognition unit from the user right query requests of described front-end proxy agent module and related information transmission to described authority recognition unit.
Described authority recognition unit is used for according to user right query requests and target URL (Uniform Resource Locator from described inquiry service interface, uniform resource locator) sends the request search application message and to the application management unit, and according to the user being discerned at the property rights of this application by the determined application message in application management unit, then will with the user right message transmission to described inquiry service interface.
The application management unit determines the information relevant to the application according to the application-information lookup request and the related data stored in the database, and passes this application information to the authority recognition unit, so that the authority recognition unit can use it to recognize the user's rights for that application.
In practice, the cross-domain rights management system manages every application system through the application management unit, and every protected application system must be registered there. The following must be configured at registration: a unique identifier for the application system, its name, its type (B/S or C/S), its access method (Agent, simulated form fill-in, and so on), its address, its communication type (plaintext or ciphertext), and any additional information that has to be passed to the application.
After each application system has been registered with the application management unit, when a user attempts to access one application system of the cross-domain rights management system (say, application system 1), the front-end proxy module (Agent) 1 placed in front of application system 1 checks whether the user has already passed identity authentication and rights confirmation. If not, it does the following: it turns the user over to the identity authentication module for authentication and, at the same time, passes the URL the user is trying to access to the rights confirmation module. The rights confirmation module compares this URL one by one against the addresses of the application systems registered in the application management unit, and so determines which application system the user is trying to access. Once the application system is known, the rights confirmation module retrieves its application identifier (the unique identifier of the application system as defined in the rights confirmation module), with which the authority recognition unit can find all information relevant to this application system, for example the access control rules and the user's own account in that application system.
After the user has passed identity authentication and rights confirmation, the front-end proxy module forwards the URL and returns the user to the application system. At that point, having confirmed that the user is authenticated and that rights confirmation has completed, the front-end proxy module decides according to the access control information whether the user may access this application system.
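The registration-and-lookup flow of the preceding paragraphs (the same flow that steps 440 to 450 and claims 7 and 10 below summarize) can be shown with a small in-memory model. The Go program below is an added example written for this page, not code from the patent or its applicant; the application records, the access-control table, the sessions and the `https://app1.example.com/...` addresses are constructed for illustration, and holding both tables in memory rather than in the database is an assumption. One point the example adds that the text leaves implicit: the target URL is matched against the registered application addresses on the parsed scheme, host and whole path segments, because a raw string-prefix comparison would let a look-alike host or a sibling path fall into the wrong application's rights set.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// appRecord is what an application system registers with the application management
// unit. The other registration fields (access method, communication type, extra
// information) are omitted because the URL match only needs the address.
type appRecord struct {
	ID, Name, Type, Address string
}

// rightsModule is the rights confirmation module; both tables are in memory here
// (assumption: the patent keeps them in the database).
type rightsModule struct {
	apps []*appRecord
	acl  map[string]map[string]string // application ID -> user -> user's account in that application
}

// resolve maps the target URL to a registered application system. The text compares the
// URL with each registered address one by one; here the comparison uses the parsed scheme,
// host and whole path segments, so https://app1.example.com.evil.test/ and
// https://app1.example.com/oatmeal cannot match https://app1.example.com/oa/ the way a raw
// string-prefix test would allow. The longest matching address wins.
func (m *rightsModule) resolve(target string) (*appRecord, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	var best *appRecord
	bestLen := -1
	for _, a := range m.apps {
		au, err := url.Parse(a.Address)
		if err != nil || !strings.EqualFold(u.Scheme, au.Scheme) || !strings.EqualFold(u.Host, au.Host) {
			continue
		}
		base := strings.TrimSuffix(au.Path, "/")
		if (u.Path == base || strings.HasPrefix(u.Path, base+"/")) && len(base) > bestLen {
			best, bestLen = a, len(base)
		}
	}
	if best == nil {
		return nil, errors.New("URL does not belong to any registered application system")
	}
	return best, nil
}

// Confirm is the user-rights query for one URL: the application it belongs to and the
// user's account in it, or an error when the access control rules hold no entry.
func (m *rightsModule) Confirm(user, target string) (*appRecord, string, error) {
	app, err := m.resolve(target)
	if err != nil {
		return nil, "", err
	}
	acct, ok := m.acl[app.ID][user]
	if !ok {
		return app, "", fmt.Errorf("user %q has no access rights for %s", user, app.Name)
	}
	return app, acct, nil
}

// session is what the front-end proxy knows about a user after the authentication module answered.
type session struct {
	User          string
	Authenticated bool
}

// agent is the front-end proxy module (Agent) placed before the application systems.
type agent struct{ rights *rightsModule }

// Handle is the agent's decision for one request: turn the user to the identity
// authentication module, deny, or allow as the confirmed local account.
func (g agent) Handle(s *session, target string) string {
	if s == nil || !s.Authenticated {
		return "redirect:identity-authentication"
	}
	app, acct, err := g.rights.Confirm(s.User, target)
	if err != nil {
		return "deny: " + err.Error()
	}
	return fmt.Sprintf("allow: %s as %s", app.Name, acct)
}

// Scenarios runs constructed applications, rights and sessions through the agent.
func Scenarios() map[string]string {
	rm := &rightsModule{
		apps: []*appRecord{
			{ID: "app1", Name: "OA", Type: "BS", Address: "https://app1.example.com/oa/"},
			{ID: "app2", Name: "Finance", Type: "BS", Address: "https://app2.example.com/"},
		},
		acl: map[string]map[string]string{"app1": {"alice": "oa_alice"}, "app2": {"bob": "fin_bob"}},
	}
	g := agent{rm}
	alice := &session{User: "alice", Authenticated: true}
	bob := &session{User: "bob", Authenticated: false} // certificate not yet checked
	return map[string]string{
		"alice -> app1":      g.Handle(alice, "https://app1.example.com/oa/doc/1"),
		"alice -> app2":      g.Handle(alice, "https://app2.example.com/report"),
		"alice -> lookalike": g.Handle(alice, "https://app1.example.com.evil.test/oa/"),
		"alice -> /oatmeal":  g.Handle(alice, "https://app1.example.com/oatmeal"),
		"bob -> app2":        g.Handle(bob, "https://app2.example.com/report"),
	}
}

func main() { fmt.Println(Scenarios()) }
```

`go run` prints one decision per constructed request. The two denials for `app1.example.com.evil.test` and `/oatmeal` are the ones to look at: both URLs begin with the registered address as a string, and only the parsed comparison keeps them out of application 1's rights set.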
Fig. 3 is a flow diagram of the user identity authentication performed by the multi-CA identity authentication module shown in Fig. 2.
In step 210, the certification authority of the user's identity certificate, that is, the organization that issued it, is determined from the user's digital identity certificate, the user-related information, and the certification authority information stored in advance in the database.
Specifically, when a user attempts to access an application system, the application system hands the user over to the identity authentication module (for example, an authentication gateway) for authentication. The user presents their identity certificate to the authentication gateway, and on receiving it the gateway looks up its certification authority. The gateway implements two lookup methods. When the user's identity certificate contains the Authority Key Identifier extension, the issuer key identifier in the user's certificate equals the Subject Key Identifier of the certification authority, so the gateway can locate the certification authority in the certification authority management unit directly by the key identifier in that extension. When the certificate does not contain the Authority Key Identifier extension, the gateway uses the issuer DN in the user's identity certificate to look up the certification authority instead.
In step 220, after confirming that the certification authority of the user identity certificate is one supported by this identity authentication gateway, the gateway checks whether the user identity certificate is within its validity period. If so, it proceeds to step 240 and continues authentication; if not, it goes to step 230.
Step 230: report the error that the identity certificate is outside its validity period and indicate that authentication has failed.
Step 240: verify that the identity certificate is legitimate, that is, verify the trust relationship by checking the CA's signature on the digital certificate, which establishes whether the user identity certificate was really issued by the certification authority identified. If so, go to step 260 and continue authentication; if not, go to step 250.
Step 250: report the error that the identity certificate was not issued by its certification authority and indicate that authentication has failed.
Step 260: once the trust relationship has been verified successfully, continue by checking the status of the user identity certificate. Specifically, the status of the user certificate is checked against the CRL or OCSP service according to the configuration recorded in the certification authority information for the user's certificate. If the user certificate has been frozen or revoked, the status check fails and the flow goes to step 270; if the certificate status is normal, go to step 280.
Step 270: report the error that the current status of the identity certificate is invalid and indicate that authentication has failed.
Step 280: report that the user's identity certificate has passed the gateway's authentication; the certificate authentication process ends.
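The steps of Fig. 3 (which step 430 and claim 9 below refer back to) read most easily as one function that stops at the first failing check. The Go program below is an added example written for this page, not code from the patent; the certification authorities, user certificates and revoked serial numbers are generated in memory for the example, and the in-memory revoked-serial set stands in for the CRL/OCSP lookup that step 260 configures per CA. It also spells out a case the text leaves implicit: when the Authority Key Identifier is absent or unknown and the gateway falls back to the issuer DN, that lookup only chooses which root certificate to try, and it is the signature check of step 240 that decides whether the certificate actually came from that CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caRecord is one entry of the certification authority management unit: the CA root
// certificate plus its status data (a revoked-serial set standing in for CRL/OCSP).
type caRecord struct {
	Name    string
	Root    *x509.Certificate
	Revoked map[string]bool // decimal serial number -> frozen or revoked
}

// caRegistry indexes supported CAs under "skid:<hex>" and "dn:<subject DN>" (step 210).
type caRegistry map[string]*caRecord

func (r caRegistry) add(rec *caRecord) {
	r["skid:"+hex.EncodeToString(rec.Root.SubjectKeyId)] = rec
	r["dn:"+rec.Root.Subject.String()] = rec
}

// lookupIssuer prefers the Authority Key Identifier and falls back to the issuer DN.
func (r caRegistry) lookupIssuer(cert *x509.Certificate) (*caRecord, error) {
	if rec, ok := r["skid:"+hex.EncodeToString(cert.AuthorityKeyId)]; ok && len(cert.AuthorityKeyId) > 0 {
		return rec, nil
	}
	if rec, ok := r["dn:"+cert.Issuer.String()]; ok {
		return rec, nil
	}
	return nil, errors.New("issuer is not a certification authority supported by this gateway")
}

// Authenticate runs steps 210-280 in order and returns the step at which the flow
// stopped ("issuer", "validity", "trust", "status") or "ok", plus the message shown.
func (r caRegistry) Authenticate(cert *x509.Certificate, now time.Time) (string, error) {
	ca, err := r.lookupIssuer(cert)
	if err != nil {
		return "issuer", err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) { // steps 220/230
		return "validity", errors.New("identity certificate is outside its validity period")
	}
	if err := cert.CheckSignatureFrom(ca.Root); err != nil { // steps 240/250
		return "trust", fmt.Errorf("identity certificate was not issued by %s: %w", ca.Name, err)
	}
	if ca.Revoked[cert.SerialNumber.String()] { // steps 260/270
		return "status", errors.New("identity certificate has been frozen or revoked")
	}
	return "ok", nil // step 280
}

// issue builds a constructed test certificate for cn (invented for this example); with
// parent == nil it makes a self-signed CA whose Subject Key Identifier is the serial's low byte.
func issue(cn string, serial int64, nb, na time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tpl.SubjectKeyId = []byte{byte(serial)}
		parent, pkey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // re-parse so AuthorityKeyId and Issuer are populated
	if err != nil {
		panic(err)
	}
	return cert, key
}

func certOnly(c *x509.Certificate, _ *ecdsa.PrivateKey) *x509.Certificate { return c }

// Scenarios drives one constructed user certificate through each branch of Fig. 3
// and reports the step at which the gateway stopped for each user.
func Scenarios() map[string]string {
	now, ok0, ok1 := time.Now(), time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caA, keyA := issue("CA-A Root", 1, ok0, ok1, nil, nil)
	caB, keyB := issue("CA-B Root", 2, ok0, ok1, nil, nil)
	rogue, keyRogue := issue("CA-A Root", 3, ok0, ok1, nil, nil) // same DN as CA-A, other key, never registered
	caC, keyC := issue("CA-C Root", 4, ok0, ok1, nil, nil)       // a genuine CA this gateway does not support
	reg := caRegistry{}
	reg.add(&caRecord{Name: "CA-A", Root: caA, Revoked: map[string]bool{}})
	reg.add(&caRecord{Name: "CA-B", Root: caB, Revoked: map[string]bool{"200": true}})
	users := map[string]*x509.Certificate{
		"alice (CA-A, valid)":   certOnly(issue("alice", 100, ok0, ok1, caA, keyA)),
		"bob (CA-A, expired)":   certOnly(issue("bob", 101, now.Add(-48*time.Hour), now.Add(-24*time.Hour), caA, keyA)),
		"carol (CA-B, revoked)": certOnly(issue("carol", 200, ok0, ok1, caB, keyB)),
		"mallory (rogue CA-A)":  certOnly(issue("mallory", 300, ok0, ok1, rogue, keyRogue)),
		"dave (unsupported CA)": certOnly(issue("dave", 400, ok0, ok1, caC, keyC)),
	}
	out := map[string]string{}
	for name, cert := range users {
		step, err := reg.Authenticate(cert, now)
		out[name] = step
		fmt.Printf("%-24s %-9s %v\n", name, step, err)
	}
	return out
}

func main() { Scenarios() }
```

The `mallory` certificate carries the same issuer DN as CA-A but was signed by an unregistered key: its Authority Key Identifier matches nothing, the DN fallback selects CA-A's root, `CheckSignatureFrom` fails, and the flow stops at the trust step instead of accepting the certificate. The order of the checks also matters: the status check of step 260 runs only after the signature has been verified, so a forged certificate never reaches the CA's revocation data.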
As another aspect, the present invention also provides a cross-domain rights management method applicable to the cross-domain rights management system. The method is described in detail below with reference to the embodiment shown in Fig. 4.
As shown in the figure, the cross-domain rights management method of the present embodiment comprises the following steps:
Step 410: store the information of the plurality of certification authorities supported by the cross-domain rights management system and the user identity certificates issued by those certification authorities.
Step 420: set and store the information relevant to the plurality of application systems and the access rights information of users for each application system.
Step 430: authenticate the identity of a user accessing an application system according to the stored user identity certificate and certification authority information.
Specifically, the certification authority of the user identity certificate is determined from the certification authority key identifier contained in the user identity certificate and/or the DN of the certification authority, and it is checked whether the issuing organization of the user identity certificate is one of the issuing organizations stored in step 410. If so, the validity period, legitimacy and current status of the user identity certificate are verified next; if not, authentication is reported as failed. The detailed process is the same as that described above with reference to Fig. 3 and is not repeated here.
Step 440: after determining that the user accessing the application system has a valid identity, determine the user's access rights for that application system according to the stored information relevant to the application systems and the user's access rights for each application system.
Specifically, the corresponding application information is looked up according to the user-rights query request and the target URL, and the user's rights for this application system are recognized from the application information found and the user information, so as to determine the user's access rights for this application system.
Step 450: after determining that the user has access rights for the application system, allow the user to access it.
It can be seen from the above that the cross-domain rights management system and method of the present invention support digital authentication by several CAs at the same time, adapt to application systems of many different types, provide them with an on-demand customizable information resource structure and role and permission configuration, and, while guaranteeing information security, give application systems the greatest possible adaptability and extensibility. In other words, the system and method of the present invention achieve rights management not only across trust domains but also across application domains.
It will be understood that the above embodiments are merely illustrative embodiments adopted to explain the principles of the present invention, and the present invention is not limited thereto. Those skilled in the art may make various modifications and improvements without departing from the spirit and substance of the present invention, and such modifications and improvements are also considered to fall within the scope of protection of the present invention.

Claims (10)

1. A cross-domain rights management system, characterized in that it comprises an identity authentication module, a rights confirmation module, a database, a plurality of application systems, and a front-end proxy module arranged at the front end of each application system, wherein
the front-end proxy module is used to establish data transmission channels between the user and the application system, between the application system and the identity authentication module, and between the application system and the rights confirmation module, for data interaction;
the identity authentication module supports identity certificates issued by a plurality of certification authorities, is used to authenticate the identity of a user attempting to access the application system, and transmits the user identity authentication result to the front-end proxy module;
the rights confirmation module faces all application systems of the whole cross-domain rights management system, is used to confirm the user's access rights for an application system according to the user-rights query request from the front-end proxy module and the related data stored in the database, and transmits the confirmed user access rights to the front-end proxy module so that the front-end proxy module can determine whether the user may access the application system; and
the database is used to store data relevant to the users, the plurality of certification authorities and the plurality of application systems.
2. The cross-domain rights management system according to claim 1, characterized in that the identity authentication module comprises an authentication service interface, a certificate authentication unit and a certification authority management unit, wherein
the authentication service interface is used to transmit user identity authentication requests and related information from outside the identity authentication module to the certificate authentication unit, and to transmit the user identity authentication result from the certificate authentication unit to the outside of the identity authentication module;
the certificate authentication unit is used to send a certification authority lookup request to the certification authority management unit according to the user identity authentication request from the authentication service interface and, after the certification authority management unit confirms that the user identity certificate was issued by a certification authority supported by the identity authentication module, to authenticate the user identity certificate and transmit the authentication result to the authentication service interface; and
the certification authority management unit confirms, according to the certification authority lookup request and the related data stored in the database, whether the user identity certificate is a certificate issued by a certification authority supported by the identity authentication module, and transmits the result to the certificate authentication unit.
3. The cross-domain rights management system according to claim 2, characterized in that the certification authority management unit also performs the following operations: adding certification authorities and/or deleting certification authorities and/or deleting, adding and viewing certification authority information.
4. The cross-domain rights management system according to claim 2, characterized in that the certification authority management unit also performs the following settings: setting a root certificate for each certification authority, setting whether certificate status is checked, setting the certificate authentication mode, and setting the CRL management and OCSP service information management functions.
5. The cross-domain rights management system according to claim 2, characterized in that the certification authority management unit determines the certification authority that issued the user identity certificate according to the certification authority key identifier contained in the user identity certificate and/or the DN of the certification authority.
6. The cross-domain rights management system according to claim 2, characterized in that authenticating the user identity certificate by the certificate authentication unit specifically comprises: verifying the validity period, the legitimacy and the status of the user identity certificate.
7. The cross-domain rights management system according to claim 6, characterized in that the rights confirmation module comprises a query service interface, an authority recognition unit and an application management unit, wherein
the query service interface is used to establish a data transmission channel between the front-end proxy module and the authority recognition unit, so as to transmit the user-rights query request and related information from the front-end proxy module to the authority recognition unit, and to transmit the user-rights query result from the authority recognition unit to the front-end proxy module;
the authority recognition unit is used to send an application-information lookup request to the application management unit according to the user-rights query request and the target URL from the query service interface, to recognize the user's rights for the application according to the application information determined by the application management unit, and then to transmit the user-rights information to the query service interface; and
the application management unit determines the information relevant to the application according to the application-information lookup request and the related data stored in the database, and transmits this application information to the authority recognition unit so that the authority recognition unit can use it to recognize the user's rights for the application.
8. A cross-domain rights management method applicable to a cross-domain rights management system, characterized in that the method comprises the following steps:
1) storing the information of the plurality of certification authorities supported by the cross-domain rights management system and the user identity certificates issued by those certification authorities;
2) setting and storing the information relevant to the plurality of application systems and the access rights information of users for each application system;
3) authenticating the identity of a user accessing an application system according to the stored user identity certificate and certification authority information;
4) after determining that the user accessing the application system has a valid identity, determining the user's access rights for that application system according to the stored information relevant to the application systems and the user's access rights for each application system; and
5) after determining that the user has access rights for the application system, allowing the user to access it.
9. The cross-domain rights management method according to claim 8, characterized in that step 3) specifically comprises the following steps:
31) determining the certification authority of the user identity certificate according to the certification authority key identifier contained in the user identity certificate and/or the DN of the certification authority, and checking whether the issuing organization of the user identity certificate is one of the issuing organizations stored in step 1); if so, proceeding to step 32); if not, reporting that authentication has failed;
32) verifying the validity period, the legitimacy and the current status of the user identity certificate.
10. The cross-domain rights management method according to claim 8, characterized in that step 4) specifically comprises the following steps:
41) looking up the corresponding application information according to the user-rights query request and the target URL;
42) recognizing the user's rights for this application system according to the application information found and the user information, so as to determine the user's access rights for this application system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101697568A CN101645900B (en) 2009-08-31 2009-08-31 Cross-domain rights management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101697568A CN101645900B (en) 2009-08-31 2009-08-31 Cross-domain rights management system and method

Publications (2)

Publication Number Publication Date
CN101645900A true CN101645900A (en) 2010-02-10
CN101645900B CN101645900B (en) 2012-08-01

Family

ID=41657620

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101697568A Expired - Fee Related CN101645900B (en) 2009-08-31 2009-08-31 Cross-domain rights management system and method

Country Status (1)

Country Link
CN (1) CN101645900B (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101997876A (en) * 2010-11-05 2011-03-30 重庆大学 Attribute-based access control model and cross domain access method thereof
WO2012009877A1 (en) * 2010-07-20 2012-01-26 上海交通大学 Access method based on computable credibility in distributed multi-trust domain environment
CN102469083A (en) * 2010-11-12 2012-05-23 金蝶软件(中国)有限公司 User authentication method and apparatus thereof, and enterprise system
CN102571380A (en) * 2010-12-16 2012-07-11 北京博阳世通信息技术有限公司 Multi-instance GIS platform unified user management method and system
CN102823217A (en) * 2010-04-01 2012-12-12 诺基亚西门子通信公司 Certificate authority
CN103116819A (en) * 2012-11-12 2013-05-22 成都锦瑞投资有限公司 Property real-name system certification KEY management platform based on china financial certification authority (CFCA) certification standards and application thereof
CN104753902A (en) * 2013-12-31 2015-07-01 上海格尔软件股份有限公司 Service system verification method and device
CN104885425A (en) * 2012-12-20 2015-09-02 瑞典爱立信有限公司 Technique for enabling a client to provide a server entity
CN103106357B (en) * 2012-11-12 2015-09-30 成都锦瑞投资有限公司 Based on property system of real name authentication and authorization system and the method for CFCA Valuation Standard
CN105471579A (en) * 2014-09-10 2016-04-06 阿里巴巴集团控股有限公司 Trusted login method and device
CN106657156A (en) * 2017-02-08 2017-05-10 济南浪潮高新科技投资发展有限公司 Cloud computing access method based on cross domain identity authentication
CN108092777A (en) * 2017-12-26 2018-05-29 北京奇虎科技有限公司 The monitoring and managing method and device of digital certificate
CN109245896A (en) * 2018-08-06 2019-01-18 上海汇招信息技术有限公司 A kind of e-bidding method realizing CA and interconnecting
CN110019631A (en) * 2017-12-28 2019-07-16 浙江宇视科技有限公司 The processing method and processing device of multi-dimensional map
CN110569281A (en) * 2019-08-30 2019-12-13 阿里巴巴集团控股有限公司 Block chain transaction query method and system
CN111010368A (en) * 2019-11-11 2020-04-14 泰康保险集团股份有限公司 Authority authentication method, device and medium based on authentication chain and electronic equipment
CN112187808A (en) * 2020-09-30 2021-01-05 徐凌魁 Electronic traffic authentication platform and authentication method
CN113468511A (en) * 2021-07-21 2021-10-01 腾讯科技(深圳)有限公司 Data processing method and device, computer readable medium and electronic equipment
CN113794718A (en) * 2021-09-14 2021-12-14 交通运输信息安全中心有限公司 Security authentication method and security authentication device for multiple application systems
US11336631B2 (en) 2017-05-27 2022-05-17 Huawei Technologies Co., Ltd. Authorization method
CN114900336A (en) * 2022-04-18 2022-08-12 中国航空工业集团公司沈阳飞机设计研究所 Cross-unit secure sharing method and system for application system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117156440B (en) * 2023-10-27 2024-01-30 中电科网络安全科技股份有限公司 Certificate authentication method, system, storage medium and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286845B (en) * 2008-05-12 2011-02-09 华中科技大学 Control system for access between domains based on roles
CN101453475B (en) * 2009-01-06 2012-07-04 中国人民解放军信息工程大学 Authentication management system and method
CN101453476B (en) * 2009-01-06 2011-12-07 中国人民解放军信息工程大学 Cross domain authentication method and system


Also Published As

Publication number Publication date
CN101645900B (en) 2012-08-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120801

Termination date: 20130831